Payload

Prevents you from accessing your desktop

Variants of the Win32/Weelsof family display a full-screen webpage that they download from a remote host. The page covers all other windows, rendering your PC unusable. It is a fake warning pretending to be from a legitimate institution, which demands the payment of a fine.

Paying the "fine" will not necessarily return your PC to a usable state, so this is not advisable.

These displayed webpages might be detected as a variant of the HTML/Genasom family, like Ransom:HTML/Genasom.A.

Some examples of localized webpages that variants of Win32/Weelsof might display are reproduced here.

An image pretending to be from the Policja; the Polish police force:

An image pretending to be from the Politie; the Dutch police:

An image pretending to be from the Elliniki Astynomia; the Greek police:

Images pretending to be from the Federal Bureau of Investigation; the FBI:

An image pretending to be from the Cuerpo Nacional de Policía; the National Police Corps of Spain:

An image pretending to be from the Polícia de Segurança Pública; the Public Security Police of Portugal:

An image pretending to be from the Polizia di Stato; the State Police of Italy:

An image pretending to be from Polisen; the Swedish Police Service:

An image pretending to be from the Gendarmerie Nationale; the National Gendarmerie of France:

An image pretending to be from An Garda Síochána; the Irish National Police Service:

An image pretending to be from the Bundespolizei; the German Federal Police:

Connects to remote servers

In the wild, we have observed Win32/Weelsof downloading the webpages from the following remote hosts via HTTP port 80:

dolores.cursopersona.com
fridayaddon.info
frivnrifr771kfii3834.info
ginnsuilspe94mdjjs.info
pictureicon.org.uk
pictureinteractive.org.uk
pictureinternet.org.uk
picturekeyboard.org.uk
police-center.in
police-central.in
policebrave.info
policebreakable.info
policebreezy.info
re4rwe3sg4744pps5e.info
serveranxious.in
sogood.vitaminavip.com
solovely.kugufejupaqajax.info
sosexy.baby300.info
stiloveu.obavestime.com
trybesmart.in
ultimategood.info
uniquegood.info
urbangood.info
verywell.xan7rafx.biz
vjnfnjfmio3rejioref.ru
weelsoffortune.info
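The host list above can be used directly as a hunting indicator. The following Python script is an added example, not part of the original encyclopedia entry and not Microsoft tooling; it assumes a generic one-request-per-line proxy log layout (timestamp, client IP, method, URL, HTTP status) and uses constructed sample lines. It matches each request's host against the Weelsof download hosts listed on this page, treating subdomains of a listed host and case or trailing-dot variations as matches, and reports the port so requests over HTTP port 80 stand out as the page describes.

```python
"""Hunt web-proxy logs for requests to the Win32/Weelsof download hosts.

Added example (not from the original encyclopedia entry). The host list is
copied from the page; the proxy log layout and the sample lines below are
constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Download hosts named on the page ("Connects to remote servers").
WEELSOF_HOSTS = frozenset({
    "dolores.cursopersona.com", "fridayaddon.info",
    "frivnrifr771kfii3834.info", "ginnsuilspe94mdjjs.info",
    "pictureicon.org.uk", "pictureinteractive.org.uk",
    "pictureinternet.org.uk", "picturekeyboard.org.uk",
    "police-center.in", "police-central.in",
    "policebrave.info", "policebreakable.info", "policebreezy.info",
    "re4rwe3sg4744pps5e.info", "serveranxious.in",
    "sogood.vitaminavip.com", "solovely.kugufejupaqajax.info",
    "sosexy.baby300.info", "stiloveu.obavestime.com",
    "trybesmart.in", "ultimategood.info", "uniquegood.info",
    "urbangood.info", "verywell.xan7rafx.biz",
    "vjnfnjfmio3rejioref.ru", "weelsoffortune.info",
})

# Assumed log layout: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'Police-Center.IN.' matches."""
    return host.strip().lower().rstrip(".")


def is_weelsof_host(host: str) -> bool:
    """True for a listed host or any subdomain of one (e.g. cdn.policebrave.info)."""
    h = normalize_host(host)
    return h in WEELSOF_HOSTS or any(h.endswith("." + bad) for bad in WEELSOF_HOSTS)


def hits_in_log(lines):
    """Return (client_ip, host, port) for every request to a Weelsof host.

    Malformed lines and URLs without a host are skipped rather than raised on,
    so one bad record does not abort a hunt over a large log.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.hostname is None:
            continue
        try:
            port = parts.port
        except ValueError:  # non-numeric port in the URL
            continue
        if port is None:
            port = 443 if parts.scheme == "https" else 80
        if is_weelsof_host(parts.hostname):
            hits.append((m["client"], normalize_host(parts.hostname), port))
    return hits


# Constructed sample log: three requests to listed hosts, one benign, one malformed.
SAMPLE_LOG = [
    "2012-07-01T10:15:02Z 10.0.0.5 GET http://police-center.in/index.html 200",
    "2012-07-01T10:15:03Z 10.0.0.5 GET http://www.example.com/news 200",
    "2012-07-01T10:16:11Z 10.0.0.9 GET http://cdn.policebrave.info:80/lock.html 200",
    "2012-07-01T10:17:30Z 10.0.0.9 GET http://WeelsOfFortune.info./pay 200",
    "this line is not a proxy record",
]

if __name__ == "__main__":
    for client, host, port in hits_in_log(SAMPLE_LOG):
        print(f"{client} -> {host}:{port}")
```

Matching on the suffix rather than on the exact string is deliberate: the page lists registered domains, and a hostname such as cdn.policebrave.info would otherwise slip past an exact-match list. Feed the script a real proxy export by replacing SAMPLE_LOG with the file's lines after adjusting LOG_RE to that proxy's layout.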

Additional information

We have observed Win32/Weelsof using a variety of legitimate payment and financial transfer services, including the following:

Prevention

You see these entries or keys in your registry:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>", for example "aefgvpwpvqxksk"
With data: "%windir%\<random filename>.exe", for example "dtikagusucrjujsfkutt.exe"
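The registry entry above has two recognisable traits: a value name made of random lowercase letters, and data pointing at an .exe placed directly in %windir% rather than in a subfolder. The following Python script is an added example, not part of the original encyclopedia entry and not Microsoft tooling; it encodes that pattern as a triage heuristic over (value name, data) pairs, reads the live HKLM Run key through winreg when run on Windows, and otherwise checks a constructed sample that includes the page's example values next to two ordinary-looking entries.

```python
"""Flag HKLM Run entries that match the Win32/Weelsof autostart pattern.

Added example (not from the original encyclopedia entry). The page describes
a Run value with a random-looking name whose data is an .exe dropped directly
in %windir%; the heuristic below looks for exactly that. The sample entries
are constructed; the live read uses winreg and only runs on Windows.
"""
import ntpath
import platform
import re

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Value names / file names like "aefgvpwpvqxksk" or "dtikagusucrjujsfkutt":
# long runs of lowercase letters with no digits, dots or separators.
RANDOM_NAME_RE = re.compile(r"^[a-z]{10,}$")
WINDIR_RE = re.compile(r"%windir%", re.IGNORECASE)


def program_path(data: str) -> str:
    """Extract the executable path from Run-value data (quoted or first token)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def expand_windir(path: str, windir: str) -> str:
    """Expand %windir% with an explicit value so the check can run off-box."""
    return WINDIR_RE.sub(lambda _: windir, path)


def is_exe_directly_in_windir(data: str, windir: str = r"C:\Windows") -> bool:
    """True when the program sits in %windir% itself, not in a subfolder."""
    full = expand_windir(program_path(data), windir)
    head, tail = ntpath.split(full)
    return (head.lower().rstrip("\\") == windir.lower().rstrip("\\")
            and tail.lower().endswith(".exe"))


def looks_random(name: str) -> bool:
    """Crude randomness test matching the page's example names."""
    return bool(RANDOM_NAME_RE.match(name))


def suspicious_run_entries(entries, windir: str = r"C:\Windows"):
    """Return the (name, data) pairs matching the Weelsof pattern.

    This is a triage heuristic: review each hit rather than deleting it blindly.
    """
    out = []
    for name, data in entries:
        stem = ntpath.splitext(ntpath.basename(program_path(data)))[0]
        if is_exe_directly_in_windir(data, windir) and (looks_random(name) or looks_random(stem)):
            out.append((name, data))
    return out


def read_hklm_run():
    """Enumerate the HKLM Run key on Windows; returns [] on other platforms."""
    if platform.system() != "Windows":
        return []
    import winreg  # Windows-only module
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            entries.append((name, str(data)))
            index += 1
    return entries


# Constructed sample: the page's example value beside two ordinary-looking entries.
SAMPLE_ENTRIES = [
    ("aefgvpwpvqxksk", r"%windir%\dtikagusucrjujsfkutt.exe"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    entries = read_hklm_run() or SAMPLE_ENTRIES
    for name, data in suspicious_run_entries(entries):
        print(f"suspicious Run value {name!r} -> {data}")
```

The two conditions are combined on purpose: legitimate software occasionally uses an odd value name, and a few legitimate programs live directly in %windir%, but an unsigned executable with a random name in that location, started from Run, is the combination the page describes and is worth a look in any case.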